Cisco last week issued two warnings of IOS security holes - one could allow unauthorized users to access a network, the other could leave IOS-based Cisco devices vulnerable to a denial-of-service attack.
The authentication vulnerability could allow a user to send specially doctored packets to a router, doubling as a VPN concentrator, and gain unauthorized access to a network. The denial-of-service vulnerability concerns routers or other IOS devices running Secure Shell (SSH) servers for remote management; several conditions could allow an attacker to send commands that cause the router to reload, or that exploit a memory leak problem that depletes the device's resources, Cisco says.
The authentication vulnerability affects IOS-based devices running IOS Easy VPN Server - an IOS feature that allows a router to act as a VPN concentrator by providing authentication and encrypted remote access. When this service is enabled with Extended Authentication (XAUTH) turned on, and the device is listening for traffic on User Datagram Protocol (UDP) port 500, an attacker could send malformed packets to this UDP port and cause the device to authenticate the illicit user to the network, Cisco says.
Another vulnerability involving XAUTH exists on IOS VPN services, where under certain conditions a device can be tricked into skipping certain authentication processes to give an attacker unauthorized network access.
These vulnerabilities affect any IOS device supporting Easy VPN Server XAUTH version 6. Cisco has provided an IOS upgrade that fixes the problem.
The remote management vulnerability involves IOS-based gear running SSH version 2. A device could be made to reload if an attacker sends certain commands to the SSH server under a few specific conditions.
Cisco has released software that patches this vulnerability. Users can set up access control lists that block SSH traffic as a temporary workaround to the problem, the company says.
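The ACL workaround described above, written out as an added illustration rather than configuration taken from Cisco's advisory: SSH access to the vty lines is limited to a single management subnet and everything else is dropped and logged. The management subnet (192.0.2.0/24), the ACL name and the vty line range are constructed placeholders; adjust them to the real environment before use.

```cisco
! Constructed example: restrict SSH management access while the IOS upgrade is scheduled.
! Only hosts in the (placeholder) management subnet 192.0.2.0/24 may open an SSH session;
! any other source is denied and logged so the attempts are visible to operations staff.
ip access-list standard MGMT-SSH-ONLY
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! Apply the ACL inbound on the vty lines (range is a placeholder; match the device's lines).
! "transport input ssh" keeps only SSH as the remote management protocol on these lines.
line vty 0 4
 access-class MGMT-SSH-ONLY in
 transport input ssh
 exec-timeout 10 0
!
! Verification after applying the change:
!   show access-lists MGMT-SSH-ONLY   - hit counts on the permit and deny entries
!   show running-config | section line vty   - confirm the access-class is bound
```

The deny entry's log keyword records rejected connection attempts in the device's syslog, which gives a simple detection signal while the workaround is in place.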